Hello everyone, earlier we discussed the Cyber Kill Chain and the various stages of Advanced Persistent Threats (APTs).
We also discussed one way of protecting against the delivery of malicious code to your systems by using the Edge browser.
We saw mechanisms to avoid execution of malicious code or exploitation of your OS or applications.
I was in a well-known training center recently and was given a laptop for use. The laptop had an Excel file named ORGPasswords and I assumed, correctly, that it held the list of usernames and passwords of multiple users for various resources in that organization. I opened the browser and, WOW, I was on the OWA page with credentials saved. If I were an adversary, I could have taken many adverse actions and had an opportunity to steal critical organizational data.
Credential harvesting can be done in many ways by adversaries, who then leverage the harvested credentials to achieve their objectives. A staggering 81% of hacking-related breaches leveraged either stolen and/or weak passwords.
Say, for example, one of your employees mistakenly enters his corporate credentials on a phishing website, or his credentials are shoulder surfed while he logs in from his mobile device while travelling on public transport. The attacker can now use these credentials to gain access to what he should not be accessing. Or some malware on the system has a key logger which captures your keystrokes and sends them to the attacker sitting remotely, or it attacks the Local Security Authority cache, steals the NTLM hashes, and passes these hashes to do lateral movement in your organization (Pass the Hash attacks).
Humans are the weakest link in information security, and there need to be strong technological countermeasures in place to protect your identities, devices and data. With the change in the perimeter of your data (more and more data moving outside the organizational premises), it is imperative for an enterprise to consider technology that adds additional layers of protection.
Microsoft 365 offers a set of solutions that provide layered protection against various forms of identity theft.
Azure AD Identity Protection helps in protecting identities irrespective of their privilege level and prevents compromised identities from being misused. Identity Protection is more than a monitoring and reporting tool. It uses adaptive machine learning to detect vulnerabilities and risky accounts, supports investigation of risky accounts, and drives risk-based conditional access.
Coming back to the earlier scenario, where the attacker has the credentials of one of your employees and now tries to access your resources from a remote location, an untrusted PC or even through a TOR browser, the adaptive machine learning alerts and blocks the sign-in or prompts for multi-factor authentication.
Azure AD Privileged Identity Management allows an organization to reduce the number of people having access to sensitive information or resources, thus reducing the attack surface for an attacker gaining access to those resources, or for an authorized user inadvertently damaging their integrity. It allows you to enable on-demand or just-in-time access to your resources, with alerts and reporting on privileged access. Consider a scenario where some credentials in your organization are stolen: the adversary still won't be able to access the sensitive information, because the stolen account does not hold a standing privileged role.
Let us consider a typical security incident, where a user receives a document with malicious code embedded in it and the user inadvertently executes the code. The code now initiates a privileged identity attack. What if there were something native that could detect it and trigger conditional access based on this detection? That is exactly what Windows Defender Advanced Threat Protection's integration with Microsoft Intune does: based on the acceptable level of risk and the policies configured in Intune, it provides conditional access to the resources.
With the increased frequency and complexity of cyberattacks, protection of credentials, whether in the cloud or on premises, is important. Azure Advanced Threat Protection is a cloud service that parses Kerberos, DNS, RPC, NTLM, etc. traffic from multiple data sources and searches for attacks like Pass the Ticket, Pass the Hash, Golden Ticket, Overpass the Hash and so on.
Finally, let's consider the scenario mentioned earlier where the attacker drops some malware on your computer and tries to attack the Local Security Authority Subsystem Service (LSASS) to steal the derived credentials. Once they succeed in doing so, they can use these derived credentials to do lateral movement in your environment (Pass the Hash attacks). This kind of technique is used in many Advanced Persistent Threats. Windows Defender Credential Guard uses virtualization-based security to isolate the LSASS secrets in a separate, protected process, so that the derived credentials are not readable even by code running with administrative privileges in the normal OS, which mitigates such attacks.
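Since Credential Guard only protects derived credentials when the virtualization-based security service is actually running (not merely configured), a defender usually wants a quick way to verify the state on a given machine. The following PowerShell is an added example for this post, not code from Microsoft or from the original article. It queries the Win32_DeviceGuard CIM class that Windows 10 exposes, and reads the LsaCfgFlags registry value used to turn Credential Guard on. The numeric mappings in the comments (VBS status 0/1/2, service ID 1 for Credential Guard and 2 for HVCI, LsaCfgFlags 1/2) follow Microsoft's documented semantics for that class; the function name Get-CredentialGuardState is my own.

```powershell
# Added example: report whether Windows Defender Credential Guard is configured and running.
# Requires Windows 10 / Windows Server 2016 or later; run from an elevated PowerShell session.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'NotEnabled' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { "Unknown($($dg.VirtualizationBasedSecurityStatus))" }
    }

    # SecurityServicesConfigured / SecurityServicesRunning are arrays of service IDs:
    # 1 = Credential Guard, 2 = Hypervisor-enforced Code Integrity (HVCI)
    $cgConfigured = $dg.SecurityServicesConfigured -contains 1
    $cgRunning    = $dg.SecurityServicesRunning    -contains 1
    $hvciRunning  = $dg.SecurityServicesRunning    -contains 2

    # LsaCfgFlags is the registry switch for Credential Guard:
    # 1 = enabled with UEFI lock, 2 = enabled without lock, absent/0 = disabled
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsStatus                 = $vbsStatus
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        HvciRunning               = $hvciRunning
        LsaCfgFlags               = $lsaCfg
        # Derived credentials in LSASS are isolated only when VBS and the service are both running
        Protected                 = ($vbsStatus -eq 'Running' -and $cgRunning)
    }
}

# Usage: print the state for this machine; Protected = False means the LSASS
# secrets are still exposed to a Pass the Hash style credential theft.
Get-CredentialGuardState | Format-List
```

The distinction between CredentialGuardConfigured and CredentialGuardRunning matters in practice: a policy or registry setting can be in place while the hypervisor, Secure Boot or UEFI prerequisites are missing, in which case the service never starts and the machine is not actually protected. Running this across a fleet and alerting on Protected = False is a cheap way to catch that gap.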
Adaptive machine learning, AI, cloud-powered solutions and a resilient, hardened Windows 10 operating system together offer a layered approach to protecting your identities, devices and data, thus reducing the attack surface and protecting your IP and sensitive data.